4n4lDetector 2.7

4n0nym0us

New Member
Thread author
May 5, 2024
8
This is a scan tool for Microsoft Windows executables, libraries, drivers and mdumps. Its main objective is to collect the necessary information to facilitate the identification of malicious code within the analyzed files. This tool analyzes, among other things, the PE header and its structure, the content of the sections, the different types of strings, among many other things. It also incorporates a multitude of its own ideas to recognize anomalies in the construction of files and the detection of mechanisms used by current malware.

Using the tool is simple, just configure the options in the drop-down panel on the right and drag the samples into 4n4lDetector.

Full support:
- 32 bits (8086, x86, ARMv7)
- 64 bits (AMD64, x86-64, x64, ARMv8)

Buttons code:
- Buttons colored green are action buttons that open files and folders or are used to interact with the tool's utilities.
- The buttons colored in red perform reconfigurations, deletion of data or reset of functional files.
- Purple buttons announce the activation of online interactions.
- The pink buttons are shortcut buttons that the tool uses as tabs to navigate between different types of utilities.

Shortcuts:
- [A] Main analysis tab
- [W] Analysis tab in modifiable HTML format for report (WebView)
- Viewer of strings extracted from the parsed file
- [V] Module with the Virustotal report using its API

Detections:
- PE Information
- Unusual Entry Point Position or Code (Algorithms, Anomalous Instructions... )
- Packers
- Compilations
- Binders/Joiners/Crypters
- Architectures
- Possible malicious functions
- Registry Keys
- Files Access
- Juicy Words
- Anti-VM/Sandbox/Debug
- URLs Extractor
- Payloads
- AV Services
- Duplicate Sections
- IP/Domains List
- Config RAT (Only In Memory Dumps)
- Call API By Name
- Unusual Chars In Description File (Polymorphic Patterns)
- Rich Signature Analyzer
- CheckSum Integrity Problem
- PE Integrity Check
- SQL Queries
- Emails
- Malicious resources
- PE Carve
- Exploits
- File Rules for Entry Points and more... 😃

Console Options (Analysis to file):
- 4n4lDetector.exe Path\App.exe -GUI (Start the graphical interface parsing a file from the console)
- 4n4lDetector.exe Path\App.exe -TXT (Parse a file from the console and the output is written to a TXT file)
- 4n4lDetector.exe Path\App.exe -GREMOVE (Remove binary after scan)
- 4n4lDetector.exe Path\App.exe -HTML (Parse a file from the console and the output is written to HTML file)

Download:
4n4lDetector
 

Bot

AI-powered Bot
Apr 21, 2016
3,805
Thanks for sharing this detailed information about 4n4lDetector 2.7. It seems like a comprehensive tool for analyzing potentially malicious files, with support for both 32-bit and 64-bit architectures. The various detection features and console options make it a versatile tool for different analysis scenarios. The direct download link is also appreciated.
 

Brie

Level 10
Verified
Well-known
Jan 1, 2018
490
This is a scan tool for Microsoft Windows executables, libraries, drivers and mdumps. Its main objective is to collect the necessary information to facilitate the identification of malicious code within the analyzed files. This tool analyzes, among other things, the PE header and its structure, the content of the sections, the different types of strings, among many other things. It also incorporates a multitude of its own ideas to recognize anomalies in the construction of files and the detection of mechanisms used by current malware.

Using the tool is simple, just configure the options in the drop-down panel on the right and drag the samples into 4n4lDetector.

Full support:
- 32 bits (8086, x86, ARMv7)
- 64 bits (AMD64, x86-64, x64, ARMv8)

Buttons code:
- Buttons colored green are action buttons that open files and folders or are used to interact with the tool's utilities.
- The buttons colored in red perform reconfigurations, deletion of data or reset of functional files.
- Purple buttons announce the activation of online interactions.
- The pink buttons are shortcut buttons that the tool uses as tabs to navigate between different types of utilities.

Shortcuts:
- [A] Main analysis tab
- [W] Analysis tab in modifiable HTML format for report (WebView)
- Viewer of strings extracted from the parsed file
- [V] Module with the Virustotal report using its API

Detections:
- PE Information
- Unusual Entry Point Position or Code (Algorithms, Anomalous Instructions... )
- Packers
- Compilations
- Binders/Joiners/Crypters
- Architectures
- Possible malicious functions
- Registry Keys
- Files Access
- Juicy Words
- Anti-VM/Sandbox/Debug
- URLs Extractor
- Payloads
- AV Services
- Duplicate Sections
- IP/Domains List
- Config RAT (Only In Memory Dumps)
- Call API By Name
- Unusual Chars In Description File (Polymorphic Patterns)
- Rich Signature Analyzer
- CheckSum Integrity Problem
- PE Integrity Check
- SQL Queries
- Emails
- Malicious resources
- PE Carve
- Exploits
- File Rules for Entry Points and more... 😃

Console Options (Analysis to file):
- 4n4lDetector.exe Path\App.exe -GUI (Start the graphical interface parsing a file from the console)
- 4n4lDetector.exe Path\App.exe -TXT (Parse a file from the console and the output is written to a TXT file)
- 4n4lDetector.exe Path\App.exe -GREMOVE (Remove binary after scan)
- 4n4lDetector.exe Path\App.exe -HTML (Parse a file from the console and the output is written to HTML file)

Download:
4n4lDetector
why are there lines scratched through a lot of things?
 
  • Like
Reactions: simmerskool

likeastar20

Level 8
Verified
Mar 24, 2016
380
Not the only analysis platform that rates it as malicious tho.
Well, he did develop his own RAT, so that's that 🤷‍♂️

1715078256513.png
 

4n0nym0us

New Member
Thread author
May 5, 2024
8
I have been developing antivirus evasion methods as well as various hacking tools for more than 15 years. But if you find malware in 4n4lDetector files, here is more information for my arrest.

 
  • Like
Reactions: simmerskool
F

ForgottenSeer 109138

A tool does not need to contain malware to become malicious. There are plenty of benign tools out there until in the wrong hands or used in malicious ways. Then adding the unknown of the developer, and the extreme amount of indicators through hybrid analysis, id be weary.

Personally I'd use Pestudio.
 
Last edited by a moderator:

Trident

Level 30
Verified
Top Poster
Well-known
Feb 7, 2023
1,984
The file itself, according to the analysis linked, does not seem to possess any abilities not presented to the user (such as coming packed with malicious software). The tool provides solely what has been promised to the user.

My concerns are that this tool can be abused and is exceptionally difficult to block as the developer is unknown. A simple update of the packaging algorithms will be enough to evade majority of blocks.
The tool can be abused to extract enough information necessary to deliver a more tailored attack at a later stage.
The author develops several less-than-authoritative tools posing as “security researcher” and does not assume any liability for the same as they are developed “for security research only”.
This is very typical on the malware-as-a-service market, to claim that malicious tools are security projects.

Downloading this tool will not cause any instant, direct harm, but its development and public release is rather unethical.
 

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
661
I do not like publicly available or "educational" malware either but I think the discussion about this is off-topic and also not same as selling or spreading malware. There are plenty of red teamers writing malware projects because this is part of their professional work. Some decide to publicise them and whether that does more good than harm is a constant debate.

Regarding the tool, I really like the retro design and I believe it can be a useful tool for triage. What advantages are there with your tool over using CAPA and a PE parser like PEStudio? Currently this part is not clear to me but maybe there are features I just could not appreciate from the short testing phase.

Some of the patterns might need more vetting, I tested a random application of mine and got shellcode and filemon patterns, both are not part of the program.

1715237168366.png


However, I did not find the algorithm or pattern for the anti-VM/debug tricks in any of the .rules files that I can inspect via the settings. I would prefer if the way those detections occur are made clear, either by making the signature for it viewable or by making the program open source. It is in the very nature of heuristics and signature patterns that they tend to have false positives. I inspect them to estimate the likelyhood they go wrong and what a finding actually means, so I am not caught up looking for a shellcode (like in this case) that does not exist. Additionally it would be helpful to find the offset/location where this shellcode pattern was found, otherwise the detection is not useful for further analysis.

Minor thing: When I click on the .rules, they do not open unless I know that I have to choose a text editor.

2.png


1.png

Are these EP rules PEiD signatures? They seem like it.
 
Last edited:

4n0nym0us

New Member
Thread author
May 5, 2024
8
My concerns are that this tool can be abused and is exceptionally difficult to block as the developer is unknown. A simple update of the packaging algorithms will be enough to evade majority of blocks.
The tool can be abused to extract enough information necessary to deliver a more tailored attack at a later stage.
The author develops several less-than-authoritative tools posing as “security researcher” and does not assume any liability for the same as they are developed “for security research only”.
This is very typical on the malware-as-a-service market, to claim that malicious tools are security projects.
Hello @Trident, a pleasure. My tool does not send data anywhere, currently it only downloads the signature files and the notifications section in "Settings". In that tab I send a notice to the user about how its development is going, since I have been developing this tool for 9 years, the first version is documented on my blog.
On the other hand, I have been working professionally for more than 15 years as a teacher, writer, pentester, developer, forensics and malware analyst. Within malware analysis I also develop antivirus evasion methods, which I have published since my beginnings. I have never been linked to legal problems because I have not participated in criminal actions outside of sharing my progress with the community.
--------------------
Hello @struppigel, thanks for trying the tool. It is true that to see the potential of the tool you have to spend some time on it, because it only shows the information it finds and the rest of the functionalities are hidden. If you need more information or have questions, I can explain it to you without problems. I am currently developing a next version that is even faster and more powerful.

That shellcode detection is a generic detection that one day a long time ago I incorporated into the code, luckily it doesn't usually appear hehe but it can help you be alert about what you analyze. If you search for "Filemon" in the strings tool search engine, you will probably find the word. I would not pay too much attention to that detection since that word can be found written as a set of another function. However, you can visit the 4n4lDetector rules folder to see all the rules that can be modified so you can add or delete rules. Plus there is the entire database of the Detect its easy (DIE) tool.

If you have suggestions for removing any detections outside of the rules files, let me know and I'll look into it and may remove them.

The extension of relga files is not linked to the operating system to be opened by any application. I leave that at your disposal, you just have to choose it the first time.

As for Entry Point rules, I've included rules from many different sites. Currently the content of these rules is reviewed, expanded and cleaned. It even has Shellcode detections hehe. Think that I do all this as a hobby, I am a restless person and I enjoy doing new things, greetings! :)
 

4n0nym0us

New Member
Thread author
May 5, 2024
8
I finally removed the "Filemon" detection and the generic detection of that "Shellcode" because they could really be misleading. On the other hand, I am already developing an advanced search functionality, which includes the option to extract Offsets... among other new functionalities ;)

4N4LDetector v2.8.png


Greetings from Spain!
 

4n0nym0us

New Member
Thread author
May 5, 2024
8
Version 2.8 of #4n4lDetector has already been released, along with a video to learn how to analyze the #LarryLurexRAT Trojan server. This is a modification of #DarkComet made from #debugger by myself. I also review behavior-based antivirus engine evasion techniques and #EDR systems. Additionally, I address the extraction of #IOCs and the collection of information prior to a #malware #reversing exercise.

Download:
Video (Spanish):


Added in this version:
[+] A notice is added to the sections section when the identified section is executable.
[+] The SHA-256 and SHA-1 Hashes of all analyzed files are now also calculated.
[+] Including the original name of the analyzed library in the "[Export Table]" button.
[+] Now 4n4lDetector is able to identify content in the Import Table even though the "Original First Thunk" Offset is at "0" as in UPX tablets.
[+] The "Settings" module now has a subtle optimization to avoid freezes when downloading notifications.
[+] The code responsible for resource extraction has been optimized, it is now faster.
[+] Entry Point extraction has been restructured, optimizing its code and improving extraction speed.
[+] Optimized and removed some of the internal rules of 4n4lDetector to avoid some false positives.
[+] The file description extractor algorithm was modified, it is now more effective.
[+] The Carving PE result is now stored in a folder called PECarve within the analysis section.
[+] Virustotal information has been relocated to the main panel. (Use your personal API_KEY).
[-] SORRY MICROSOFT... I think we are at peace after that CobaltStrike detection <3
[+] The "IT Functions:" section of the main analysis is now called "Suspicious functions:", this being more accurate.
[-] Functions now have a description of their functionalities.
[+] The "Strings" functionality now runs automatically, visible in the "S" button after scans while "Intelligent Strings" is active.
[-] Increased the effectiveness and speed of the "Intelligent Strings" module and the "Strings" functionality.
[+] The "Sections Info" option is now internal and in its place an optional one has been created to decompress UPX samples.
[-] The unzipped samples are stored in the analysis path, within a folder called UPX.
[-] The UPX binary is located in the root of 4n4lDetector, in a folder called "bin" and can be modified by the user.
[+] The verification of signed executables, the checksum signature and the Rich signature are now grouped in the "Signatures" section.
[+] Changes in the management of the Rich firm.
[-] The entire signature is extracted, not just the first part.
[-] Added a hash for detection.
[-] its integrity is verified with a review of the old algorithm.
[+] A new tool has been added to extract Offsets directly from the executable and view its contents.
[-] It is now possible to manually perform code searches in hexadecimal, ASCII and UNICODE.
[-] A functionality to review the assembly code has also been included.
[-] This tool executes its main functions automatically with the Entry Point after each analysis.
[+] Added extraction of import and export tables from the rest of the existing executable architectures.
[-] Alpha AXP, ARM, EFI Byte Code, EFI Byte Code (EBC), Hitachi SH3, Hitachi SH3, Hitachi SH3, Hitachi SH4, Hitachi SH5, Intel Itanium (IA-64), Intel i860, M32R, MIPS16, MIPS16 with FPU, MIPS R3000, MIPS R4000, MIPS little-endian, MIPS little-endian WCE v2, MIPS with FPU.

Photo Example:
GPEnE4LXIAA-gBJ
 

4n0nym0us

New Member
Thread author
May 5, 2024
8
4n4lDetector has eaten the whole cake. You will not find a faster, more stable and safer way to perform static malware analysis, IOCs extraction and pre-reversing. This version, together with the possibility of reviewing the original buffer of the file, in text and hexadecimal format, makes this task much easier. It also incorporates the graph analyzing the PE structure visually and the possibility of identifying any chain from the tool's search engine without limits among many other functionalities described below.

Download:
Release 4n4lDetector v2.9 · 4n0nym0us/4n4lDetector

450909064_10161337512242970_2289853408929311744_n.jpg


[+] New logo of the application by Sandra Badia Gimeno (www.sandrabadia.com).
[+] Relocated Kernel-mode functions to the Suspicious Functions section.
[+] Surprises are included so you don't get bored with daily use of the tool.
[+] A multitude of tests were carried out focused on providing the greatest stability, speed and effectiveness of the extracted contents.
[+] Optimization during idle state. File creation checks are no longer performed for the PECarve and UPX functionalities.
[+] Detection of sections that allow writing from flags was included.
[+] The extraction of functions from the "Export Table" using Carving has been slightly improved.
[+] The name of the file under analysis has been included in the content of the report.
[+] Added a longer description about the possibilities of the Zombie_AddRef function.
[+] Fixed a bug where the "Show Offsets" tool dump did not allow reading a small portion of the end of the analyzed file.
[+] Now when you click on the Virustotal result in the main form, it will take us to the analysis web page.
[+] Virustotal analysis has been included in the analyzes carried out from console mode.
[+] Review of Shikata_ga_nai detections and update of Payload detection heuristics.
[+] Increased and improved the query extraction functionality of the ASCII and UNICODE records branch.
[+] Increased and improved the ASCII and UNICODE SQL query extraction functionality.
[+] Increased and improved URL extraction functionality, also searches FTP and SFTP in ASCII and UNICODE.
[+] Increased and improved ASCII and UNICODE file name extraction functionality.
-> .EXE, .DLL, .BAT, .VBS, .VBE, .JSE, .WSF, .WSH, .PS1, .PSM1, .PSC1, .SCR, .HTA, .DLL, .PIF, .MSI , .MSP, .SYS, .CPL, .JAR, .TXT, .INI, .PDF, .WDS, .DOC
[+] The word finder has been completely delimited for any search location of the text boxes.
-> In web view the browser is now automatically blocked.
[+] Fixed a rare error in the IPs section that could lead the execution thread to a loop without finishing analyzing the files.
-> This fix also fixed the ability to end analysis with a single active option in the tool's modules panel.
[+] The 4n4l.rules module now internally converts text format rules "T:" to Unicode format.
-> The rules of this file have been optimized, now search more with less.
[+] The bytes to be reviewed at the Entry Point by the rules file are increased from 100 to 1500.
-> Revised some of the rules to eliminate false positives after the update.
[+] The reading of the rule files is done only once after starting the application or after the first analysis, then it is loaded into memory for future uses.
-> The charging status can be checked from the "Settings" section.
[+] Added the tilde (~), the dollar ($), the single quote (') and the double quote (") as characters that can be part of the reports.
-> A conversion filter is applied to these quotes for the tool's Web view.
[+] Worked on the efficiency of the "Intelligent Strings" module.
-> The length of strings to be analyzed was increased in all the Strings functionalities of the tool (75% longer strings).
-> Specific cleanup of anomalous characters is now performed and new ones are allowed.
-> Search words were extended.
[+] Added a graph in charge of displaying the content of the executables and any analyzed files.
-> The executable header is displayed in blue.
-> The identified sections are divided between magenta for the executable sections and black for the rest.
-> The excess code of the executables will have a red color as in Crypters, Binders, Joiners...
-> If the analyzed section contains an RSize of zero, its content will not be painted on the graph.
-> If the file is not a Windows executable, it will be scanned for printable characters and the absence of printable characters. Blue and black when there is no content.
-> When you double click on the graph, it will automatically be saved in the analysis folder.
-> The executions measure the console mode of the application "-TXT", "-HTML" or "-GREMOVE" include the graph as analysis output.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top